Privilege Reference
In the Coveo Cloud privilege system, each domain can be associated to one or more access levels to form a privilege, which allows an API key or a group of users to perform certain operations in the Coveo Administration Console (see Manage Privileges and Navigate the Privileges Tab).
However, although many domains offer a View and an Edit access level, the abilities represented by these access levels may differ from domain to domain. Some domains also offer different access level options such as Allowed or Push. So, to help you grant the appropriate privilege to groups of users or API keys, this page details what your grantee can do when granted each access level option for each domain. In the Coveo Administration Console, domains of privilege are grouped by service, and this page uses the same arrangement. Use the In This Article menu on the right-hand side of the page to browse the services and domains.
The operation of granting privileges isn’t to be taken lightly, as insufficient privileges can hinder task accomplishment, while inadequate or unnecessary privileges could lead to accidents or misuse. When allowed to delegate powers, you should have a good understanding of how the Coveo Cloud privilege system works and be well aware of the implications of each choice you make. In this regard, we recommend thoroughly reading the privilege documentation before granting privileges or editing a privilege set, and enforcing the principle of least privilege, i.e., granting just enough privileges for the grantee to perform their tasks (see Manage Privileges and Principle of Least Privilege).
In the tables below, the typical grantees associated to a privilege are mostly the built-in groups that are granted this access level by default. Members of the Administrators group are always granted the highest access level. When API keys appears in the Typical grantee column, it indicates that the corresponding privilege is frequently granted to an API key so that an external application can communicate with Coveo Cloud.
Analytics Service
Administrate Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
Allowed |
This privilege is especially potent since grantees can delete usage analytics data and could inadvertently corrupt it as well. |
|
Analytics Data Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View |
|
|
Push | Send analytics events to Coveo Usage Analytics (Coveo UA) (see Manage API Keys) | OAuth tokens, API keys, and search tokens assigned to a process such as a search interface |
Push and view |
|
Administrators |
Data Exports Domain
The Data exports domain access levels are ineffective without the View access level on the Analytics data domain (see Analytics Data Domain).
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | View and download usage analytics data exports containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range (see Manage Data Exports) |
|
Edit |
|
|
Delete User Data Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
Allowed | Delete usage analytics user data
This privilege is especially potent since grantees can delete usage analytics user data. This can break existing dashboards and reports and also render some data sets inaccurate. |
|
Dimensions Domain
The Dimensions domain access levels are ineffective without the View access level on the Analytics data domain (see Analytics Data Domain).
Access level | Grantee abilities | Typical grantees |
---|---|---|
View |
|
Analytics viewers |
Edit | Add, edit, or delete dimensions created by Coveo organization members (see Manage Dimensions on Custom Metadata) |
|
Impersonate Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
Allowed | Allow a custom process or bot to push usage analytics events with different identities |
|
Incoherent Events Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View |
View incoherent events (see Review Incoherent Usage Analytics Events) |
Administrators |
Named Filters Domain
The Named filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | View named filters (see Manage Named Filters) |
Analytics viewers |
Edit | Add, edit, or delete named filters (see Manage Named Filters) |
|
Permission Filters Domain
The Permission filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | View permission filters restricting the usage analytics data that analysts can review in reports (see Manage Permission Filters) Without the View access level, you can't see the permissions filters that are assigned to your identity in reports. |
|
Edit | Add, edit, or delete permission filters (see Manage Permission Filters) The Edit access level is ineffective without the View access level on the Groups domain (see Groups Domain). |
Administrators |
Reports Domain
The Reports domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | View usage analytics reports (see Review and Manage Dashboards and Review and Manage Explorers) |
Analytics viewers |
Edit | Add, edit, or delete usage analytics reports (see Manage Usage Analytics Reports) The Edit access level is ineffective without the Allowed access level on the Administrate domain (see Administrate Domain). |
|
Suggest Queries Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
Allowed | Allow a process such as a search interface to receive query suggestions from the Coveo Analytics service (see About Usage Analytics Service Query Suggestions) |
|
View All Reports Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
Allowed | View all reports, regardless of report accesses (see Manage Access to Usage Analytics Reports). Members that don't have this access level can only review the reports they're explicitly allowed to access. This privilege is especially potent since grantees bypass report permissions and could therefore access sensitive information that they wouldn't be allowed to access otherwise. |
|
Commerce Service
Catalog Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | View catalogs and catalog configuration. |
|
Edit | Add, edit, or delete catalogs. |
Administrators |
Content Service
Connectivity Diagnostic Logs
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | Download activity logs |
|
Crawling Module
Access level | Grantee abilities | Typical grantees |
---|---|---|
View |
|
|
Edit | This access level allows a Crawling Module instance to report its status to the Coveo Platform (see Monitor the Crawling Module). Granting this access level to groups of users doesn't give them any additional capabilities. |
|
1: Only content managers and users of organizations created after November 19th, 2019 are granted this privilege by default. Content managers and users of older organizations can be granted this privilege manually if needed (see Grant Privileges).
2: Administrators are granted the highest access level for all domains, including Crawling Module. However, in this case, having the Edit access level instead of View doesn’t grant them any additional capabilities. It only makes a difference for Crawling Module API keys, which require the Edit access level (see Coveo On-Premises Crawling Module).
Extensions Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View all | View the code and usage statistics of available extensions assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues (see Manage Extensions). |
||
Custom1 | View | View the code and usage statistics of the specified extensions. This is especially useful when troubleshooting cases such as item indexing issues (see Manage Extensions). | |
Edit | Add code snippets to apply transformations to included items such as adding or modifying metadata (see Add or Edit Indexing Pipeline Extensions). We recommend that you grant this privilege to developers only. | ||
Edit all | Add code snippets to apply transformations to included items such as adding or modifying metadata (see Add or Edit Indexing Pipeline Extensions). We recommend that you grant this privilege to developers only. |
|
1: See Custom Access Level.
Fields Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | View fields and field configuration (see Manage Fields) |
Users |
Edit |
|
|
Logical Indexes Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | When your organization has more than one index:
|
|
Edit | Required to use an upcoming feature. Granting this access level to groups of users doesn't give them any additional capabilities yet. |
|
Security Identities Domain
The Security identities domain access levels are ineffective without the View access level on the Security identity providers domain (see Security Identity Providers Domain).
Access level | Grantee abilities | Typical grantees |
---|---|---|
View |
|
|
Edit | Only required by certain API calls (e.g., enable all disabled entities in security cache). Granting this access level to groups of users doesn't give them any additional capabilities. |
Administrators |
Security Identity Providers Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View |
|
|
Edit |
|
Administrators |
Sources Domain
-
To review source content in the Content Browser, you must have the Allowed access level on the Execute queries domain (see Inspect Items With the Content Browser and Execute Queries Domain).
-
Unlike for other resources, the ability to create sources can be granted without the Edit access level. You can therefore grant a group or API key the View all or Custom access level for the Sources domain and check the Can Create check box to allow users to create resources in this domain.
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View all |
|
Users |
|
Custom1 | View |
|
API keys |
Edit |
|
||
Edit all |
|
|
1: See Custom Access Level.
Machine Learning Service
Models Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | View Coveo Machine Learning models |
|
Edit | Add, edit, or delete machine learning models, and therefore optimize search results relevance and search experience in general (see Manage Machine Learning Models). |
|
User Profiles Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | View the Coveo Machine Learning user profile made for each user or visitor ID |
|
Edit | Edit the Coveo Machine Learning user profile made for each user or visitor ID |
Administrators |
Organization Service
API Keys Domain
This domain is only available when configuring groups, as API keys can’t be granted the privilege to view or edit other API keys (see Manage Groups).
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View all |
View in read-only mode the configuration of all API keys (see Manage API Keys). |
|
|
Custom1 | View |
View in read-only mode the configuration of specific API keys (see Manage API Keys). |
|
Edit |
Edit, delete, activate, and disable specific API keys (see Manage API Keys and Custom Access Level) |
||
Edit all |
Add, edit, delete, activate, and disable all API keys (see Manage API Keys and Custom Access Level) |
Administrators |
1: See Custom Access Level.
Activities Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View |
View all organization activities (see Review All Events Related to Coveo Administration Console Resources) A member with the View access level could see activities from Administration Console pages for which they're not granted any access levels. |
|
|
Edit |
Send custom activities to Coveo Cloud (see Add or Edit a Push Source) |
|
Elasticsearch Indexes Domain
This domain is only available in organizations with an Elasticsearch index (see License Information).
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View |
|
|
|
Edit |
|
Administrators |
Critical Updates Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View |
Access the list of available critical updates |
||
Edit |
Enable/disable critical updates in the organization |
Administrators |
Groups Domain
Grant the Edit or Edit all access level for the Groups domain only to a few people, ideally the authority in your company that manages access rights in corporate systems.
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View all |
|
Analytics managers |
|
Custom1 | View |
View groups, including their privileges (see Manage Groups) |
|
Edit |
|
|
|
Edit all |
This privilege is especially potent since grantees can use it to add anyone, including themselves, to any organization group. This can lead to privilege escalation. |
Administrators |
1: See Custom Access Level.
2: By default, members of the Relevance Managers built-in group can edit this group only. This allows them to invite other people in the Relevance Managers group, but not in other groups.
Notifications Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View |
View organization notifications (see Manage Notifications) |
|
|
Edit |
Edit and delete organization notifications (see Manage Notifications) |
Administrators |
On-Premises Administration Domain
The privileges of this domain are required by the Coveo On-Premises Crawling Module API keys only (see Coveo On-Premises Crawling Module and Manage API Keys). Granting these privileges to groups of users doesn’t give them any additional capabilities.
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View | |||
Edit | This access level, when granted to a Coveo On-Premises Crawling Module API key, allows the Crawling Module to communicate with the Coveo Platform (see Coveo On-Premises Crawling Module and Manage API Keys). Granting it to users or groups doesn't give them any additional capabilities. |
|
1: Administrators are granted the highest access level for all domains, including On-Premises Organization. However, in this case, having the Edit access level instead of View doesn’t grant them any additional capabilities. It only makes a difference for Crawling Module API keys, which require the Edit access level (see Coveo On-Premises Crawling Module).
Organization Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View |
|
|
|
Edit |
|
Administrators |
1: This ability only applies to groups of users and is irrelevant for API keys.
Single Sign-On Identity Provider Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View | View SAML single sign-on settings (see Coveo Cloud SAML SSO) | ||
Edit | Configure SAML single sign-on for the organization and edit the single sign-on settings | Administrators |
Snapshots Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View |
|
||
Edit |
|
|
Temporary Access Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View | View who at Coveo has asked for and been granted temporary access to your organization, as well as the privileges they were granted | ||
Edit | Revoke temporary access to your organization | Administrators |
Search Service
Execute Queries Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
Allowed | For organization members and API keys to send queries and get search results in search pages connected to their Coveo organization (see Searching With Coveo Cloud) |
|
Impersonate Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
Allowed |
Obtain a search token for a search interface that replicates a permission system to perform queries with the end-user identity and return only results the user is authorized to see. This privilege is especially potent since grantees can impersonate any user and access in search results the content accessible to this user. Grantees could therefore access sensitive items that they can't normally access in the original repositories. |
|
Modify Authentication Provider Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
Allowed | Manage authentication for sources that index permissions, such as when they're secured with SharePoint claims-based identities |
|
Query Logs Domain
Access level | Grantee abilities | Typical grantees |
---|---|---|
View | In the Consumption Dashboard, download a list of the queries performed in a hub during a certain month (see Using the Search Consumption Dashboard) |
Administrators |
Query Pipelines Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View all |
|
||
Custom1 | View |
|
|
Edit |
|
||
Edit all |
Optimize results relevance and search experience in general:
|
|
1: See Custom Access Level.
Salesforce Index Configuration Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View |
Link a Coveo organization to a Salesforce organization that uses a Salesforce index
|
Administrators | |
Edit |
Search Pages Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View |
Access the search pages hosted by the Coveo organizations of which a user is a member |
Users |
|
Edit |
The Edit access level is a sensitive privilege which is typically granted only to administrators. This privilege should remain limited to avoid being exploited by malicious users who could enter unwanted code and put search page users at risk.
|
Administrators |
Search Usage Metrics Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
View | View the Consumption Dashboard | Relevance managers | |
Edit | In the Consumption Dashboard, edit the entitlement metric of a search hub | Administrators |
View All Content Domain
Access level | Grantee abilities | Typical grantees | |
---|---|---|---|
Allowed |
Browse all the content of a Coveo organization index, and therefore be able to troubleshoot search issues (see Inspect Items With the Content Browser) This privilege is especially potent since grantees bypass the content permissions and could therefore access sensitive items that they can't normally access in the original repositories. |
Administrators |